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Abstract. Random number generators (RNGs) play a crucial role in many cryptographic schemes and proto- 
cols, but their security proof usually assumes that their internal state is initialized with truly random seeds and 
remains secret at all times. However, in many practical situations these are unrealistic assumptions: The seed is 
often gathered after a reset/reboot from low entropy external events such as the timing of manual key presses, 
and the state can be compromised at unknown points in time via side channels or penetration attacks. The usual 
remedy (used by all the major operating systems, including Windows, Linux, FreeBSD, MacOS, iOS, etc.) is to 
periodically replenish the internal state through an auxiliary input with additional randomness harvested from 
the environment. However, recovering from such attacks in a provably correct and computationally optimal way 
had remained an unsolved challenge so far. 

In this paper we formalize the problem of designing an efficient recovery mechanism from state compromise, 
by considering it as an online optimization problem. If we knew the timing of the last compromise and the 
amount of entropy gathered since then, we could stop producing any outputs until the state becomes truly 
random again. However, our challenge is to recover within a time proportional to this optimal solution even in 
the hardest (and most realistic) case in which (a) we know nothing about the timing of the last state compromise, 
and the amount of new entropy injected since then into the state, and (b) any premature production of outputs 
leads to the total loss of all the added entropy used by the RNG, since the attacker can use brute force to 
enumerate all the possible low-entropy states. In other words, the challenge is to develop recovery mechanisms 
which are guaranteed to save the day as quickly as possible after a compromise we are not even aware of. The 
dilemma that we face is that any entropy used prematurely will be lost, and any entropy which is kept unused 
will delay the recovery. 

After developing our formal definitional framework for RNGs with inputs, we show how to construct a nearly 
optimal RNG which is secure in our model. Our technique is inspired by the design of the Fortuna RNG (which 
is a heuristic RNG construction that is currently used by Windows and comes without any formal analysis), 
but we non-trivially adapt it to our much stronger adversarial setting. Along the way, our formal treatment of 
Fortuna enables us to improve its entropy efficiency by almost a factor of two, and to show that our improved 
construction is essentially tight, by proving a rigorous lower bound on the possible efficiency of any recovery 
mechanism in our very general model of the problem. 

1 Introduction 

Randomness is essential in many facets of cryptography, from the generation of long-term cryptographic 
keys, to sampling local randomness for encryption, zero-knowledge proofs, and many other randomized 
cryptographic primitives. As a useful abstraction, designers of such cryptographic schemes assume a source 
of (nearly) uniform, unbiased, and independent random bits of arbitrary length. In practice, however, this 
theoretical abstraction is realized by means of a Random Number Generator (RNG), whose goal is to 
quickly accumulate entropy from various physical sources in the environment (such as keyboard presses or 
mouse movement) and then convert it into the required source of (pseudo) random bits. We notice that a 
highly desired (but, alas, rarely achieved) property of such RNGs is their ability to quickly recover from 

* Research partially supported by gifts from VMware Labs and Google, and NSF grants 1319051, 1314568, 1065288, 1017471. 
** Research partially supported by gift from Google and NSF grants 1347350, 1314722. 



various forms of state compromise, in which the current state S of the RNG becomes known to the attacker, 
either due to a successful penetration attack, or via side channel leakage, or simply due to insufficient 
randomness in the initial state. This means that the state S of practical RNGs should be periodically 
refreshed using the above-mentioned physical sources of randomness /. In contrast, the simpler and much 
better-understood theoretical model of pseudorandom generators (PRGs) does not allow the state to be 
refreshed after its initialization. To emphasize this distinction, we will sometimes call our notion an "RNG 
with input", and notice that virtually all modern operating systems come equipped with such an RNG with 
input; e.g., /dev/random [Wik04] for Linux, Yarrow [KSF99] for MacOs/iOS/FreeBSD and Fortuna [FS03] 
for Windows [Ferl3]. 

Unfortunately, despite the fact that they are widely used and often referred to in various standards [ISOll, 
Killl,ESC05,BK12], RNGs with input have received comparatively little attention from theoreticians. The 
two notable exceptions are the works of Barak and Halevi [BH05] and Dodis et al. [DPR + 13]. The pioneer- 
ing work of [BH05] emphasized the importance of rigorous analysis of RNGs with input and laid their first 
theoretical foundations. However, as pointed out by [DPR + 13], the extremely clean and elegant security 
model of [BH05] ignores the "heart and soul" issue of most real- world RNGs with input, namely, their 
ability to gradually "accumulate" many low-entropy inputs / into the state S at the same time that they 
lose entropy due to premature use. In particular, [DPR + 13] showed that the construction of [BH05] (proven 
secure in their model) may always fail to recover from state compromise when the entropy of each input 
I±, . . . ,I q is sufficiently small, even for arbitrarily large q. 

Motivated by these considerations, Dodis et al. [DPR+13] defined an improved security model for RNGs 
with input, which explicitly guaranteed eventual recovery from any state compromise, provided that the 
collective fresh entropy of inputs I\ , . . . , I q crosses some security threshold 7* , irrespective of the entropies 
of individual inputs Ij. In particular, they demonstrated that Linux's /dev/random does not satisfy their 
stronger notion of robustness (for similar reasons as the construction of [BH05]), and then constructed a 
simple scheme which is provably robust in this model. However, as we explain below, their robustness model 
did not address the issue of efficiency of the recovery mechanism when the RNG is being continuously used 
after the compromise. 

The Premature Next Problem. In this paper, we extend the model of [DPR + 13] to address some 
additional desirable security properties of RNGs with input not captured by this model. The main such 
property is resilience to the "premature next attack". This general attack, first explicitly mentioned by 
Kelsey, Schneier, Wagner, and Hall [KSWH98], is applicable in situations in which the RNG state S has 
accumulated an insufficient amount of entropy e (which is very common in bootup situations) and then must 
produce some outputs R via legitimate "next" calls in order to generate various system keys. Not only is this 
R not fully random (which is expected), but now the attacker can potentially use R to recover the current 
state S by brute force, effectively "emptying" the e bits of entropy that S accumulated so far. Applied 
iteratively, this simple attack, when feasible, can prevent the system from ever recovering from compromise, 
irrespective of the total amount of fresh entropy injected into the system since the last compromise. 

At first, it might appear that the only way to prevent this attack is by discovering a sound way to 
estimate the current entropy in the state and to use this estimate to block the premature next calls. This is 
essentially the approach taken by Linux's /dev/random and many other RNGs with input. Unfortunately, 
sound entropy estimation is hard or even infeasible [SV03, FS03] (e.g., [DPR+13] showed simple ways to 
completely fool Linux's entropy estimator). This seems to suggest that the modeling of RNGs with input 
should consider each premature next call as a full state compromise, and this is the highly conservative 
approach taken by [DPR+13] (which we will fix in this work). 

Fortuna. Fortunately, the conclusion above is overly pessimistic. In fact, the solution idea already comes 
from two very popular RNGs mentioned above, whose designs were heavily affected by the desire to overcome 
the premature next problem: Yarrow (designed by Schneier, Kelsey and Ferguson [KSF99] and used by 
MacOS/iOS/FreeBSD), and its refinement Fortuna (subsequently designed by Ferguson and Schneier [FS03] 
and used by Windows [Ferl3]). The simple but brilliant idea of these works is to partition the incoming 
entropy into multiple entropy "pools" and then to cleverly use these pools at vastly different rates when 
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producing outputs, in order to guarantee that at least one pool will eventually accumulate enough entropy 
to guarantee security before it is "prematurely emptied" by a next call. (See Section 4 for more details.) 

Ferguson and Schneier provide good security intuition for their Fortuna "pool scheduler" construction, 
assuming that all the RNG inputs I\, . . . ,I q have the same (unknown) entropy and that each of the pools can 
losslessly accumulate all the entropy that it gets. (They suggest using iterated hashing with a cryptographic 
hash function as a heuristic way to achieve this.) In particular, if q is the upper bound on the number of 
inputs, they suggest that one can make the number of pools P = log 2 q, and recover from state compromise 
(with premature next!) at the loss of a factor 0(\ogq) in the amount of fresh entropy needed. 

Our Main Result. Inspired by the idea of Fortuna, we formally extend the prior RNG robustness notion 
of [DPR+13] to robustness against premature next. Unlike Ferguson and Schneier, we do so without making 
any restrictive assumptions such as requiring that the entropy of all the inputs Ij be constant. (Indeed, 
these entropies can be adversarily chosen, as in the model of [DPR+13], and can be unknown to the RNG.) 
Also, in our formal and general security model, we do not assume ideal entropy accumulation or inherently 
rely on cryptographic hash functions. In fact, our model is syntactically very similar to the prior RNG 
model of [DPR + 13], except: (1) a premature next call is not considered an unrecoverable state corruption, 
but (2) in addition to the (old) "entropy penalty" parameter 7*, there is a (new) "time penalty" parameter 
/3 > 1, measuring how long it will take to recover from state compromise relative to the optimal recovery 
time needed to receive 7* bits of fresh entropy. (See Figures 2 and 3.) 

To summarize, our model formalizes the problem of designing an efficient recovery mechanism from 
state compromise as an online optimization problem. If we knew the timing of the last compromise and 
the amount of entropy gathered since then, we could stop producing any outputs until the state becomes 
truly random again. However, our challenge is to recover within a time proportional to this optimal solution 
even in the hardest (and most realistic) case in which (a) we know nothing about the timing of the last 
state compromise, and the amount of new entropy injected since then into the state, and (b) any premature 
production of outputs leads to the total loss of all the added entropy used by the RNG, since the attacker can 
use brute force to enumerate all the possible low-entropy states. In other words, the challenge is to develop 
recovery mechanisms which are guaranteed to save the day as quickly as possible after a compromise we 
are not even aware of. The dilemma that we face is that any entropy used prematurely will be lost, and any 
entropy which is kept unused will delay the recovery. 

After extending our model to handle premature next calls, we define the generalized Fortuna construc- 
tion, which is provably robust against premature next. Although heavily inspired by actual Fortuna, the 
syntax of our construction is noticeably different (See Figure 5), since we prove it secure in a stronger model 
and without any idealized assumptions (like perfect entropy accumulation, which, as demonstrated by the 
attacks in [DPR+13], is not a trivial thing to sweep under the rug). In fact, to obtain our construction, we: 
(a) abstract out a rigorous security notion of a (pool) scheduler; (b) show a formal composition theorem 
(Theorem 2) stating that a secure scheduler can be composed with any robust RNG in the prior model 
of [DPR+13] to achieve security against premature next; (c) obtain our final RNG by using the provably 
secure RNG of [DPR+13] and a Fortuna-like scheduler (proven secure in our significantly stronger model). 
In particular, the resulting RNG is secure in the standard model, and only uses the existence of standard 
PRGs as its sole computational assumption. 

Constant-Rate RNGs. In Section 5.4, we consider the actual constants involved in our construction, 
and show that under a reasonable setting or parameters, our RNG will recover from compromise in (3 = 4 
times the number of steps it takes to get 20 to 30 kB of fresh entropy. While these numbers are a bit high, 
they are also obtained in an extremely strong adversarial model. In contrast, remember that Ferguson and 
Schneier informally analyzed the security of Fortuna in a much simpler case in which entropy drips in at 
a constant rate. While restrictive, in Section 6 we also look at the security of generalized Fortuna (with 
a better specialized scheduler) in this model, as it could be useful in some practical scenarios and allow 
for a more direct comparison with the original Fortuna. In this simpler constant entropy dripping rate, 
we estimate that our RNG (with standard security parameters) will recover from a complete compromise 
immediately after it gets about 2 to 3 kB of entropy (see Section 6.2), which is comparable to [FS03]'s 



3 



(corrected) claim, but without assuming ideal entropy accumulation into the state. In fact, our optimized 
constant-rate scheduler beats the original Fortuna's scheduler by almost a factor of 2 in terms of entropy 
efficiency 

Rate Lower Bound. We also show that any "Fortuna-like construction" (which tries to collect entropy 
in multiple pools and cleverly utilize them with an arbitrary scheduler) must lose at least a factor J?(logg) 
in its "entropy efficiency", even in the case where all inputs Ij have an (unknown) constant-rate entropy. 
This suggests that the original scheduler of Fortuna (which used log q pools which evenly divide the entropy 
among them) is asymptotically optimal in the constant-rate case (as is our improved version). 

Semi- Adaptive Set-Refresh. As a final result, we make progress in addressing another important 
limitation of the model of Dodis et al. [DPR + 13] (and our direct extension of the current model that 
handles premature nexts). Deferring technical details to Section 7, in that model the attacker A had very 
limited opportunities to adaptively influence the samples produced by another adversarial quantity, called 
the distribution sampler T>. As explained in there and in [DPR + 13], some assumption of this kind is necessary 
to avoid impossibility results, but it does limit the applicability of the model to some real-world situations. 
As the initial step to removing this limitation, in Section 7.1 we introduce the "semi-adaptive set-refresh" 
model and show that both the original RNG of [DPR+13] and our new RNG are provably secure in this 
more realistic adversarial model. 

Other Related Work. As we mentioned, there is very little literature focusing on the design and analysis 
of RNGs with inputs in the standard model. In addition to [BH05, DPR+13], some analysis of the Linux 
RNG was done by Lacharme, Rock, Strubel and Videau [LRSV12]. On the other hand, many works showed 
devastating attacks on various cryptographic schemes when using weak randomness; some notable examples 
include [GPR06, KSWH98, NS02, CVE08, DGP07, LHA+12, HDWH12]. 

2 Preliminaries 

Entropy. For a discrete distribution X, we denote its min-entropy by H 00 (X) = min $ ^{— logPrLY = x]}. 
We also define worst-case min-entropy of X conditioned on another random variable Z by in the following 
conservative way: Yl 00 (X\Z) = — logQinax^ Vx[X = x\Z = z]]). We use this definition instead of the 
usual one so that it satisfies the following relation, which is called the "chain rule": H^X, Z) — Hoo(Z) > 

Hoopqz). 

Pseudorandom Functions and Generators. We say that a function F : {0, l} e x {0, l} m — > {0, l} m 

is a (deterministic) (t, q-p, e) -pseudorandom function (PRF) if no adversary running in time t and making 
qp oracle queries to F(key, •) can distinguish between F(key, •) and a random function with probability 

greater than e when key {0, 1} . We say that a function G : {0, l} m — > {0, 1}™ is a (deterministic) 
(t,e) -pseudorandom generator (PRG) if no adversary running in time t can distinguish between G(seed) 

$ 

and uniformly random bits with probability greater than e when seed {0, l} m . 

Game Playing Framework. For our security definitions and proofs we use the code-based game-playing 
framework of [BR06]. A game GAME has an initialize procedure, procedures to respond to adversary oracle 
queries, and a finalize procedure. A game GAME is executed with an adversary A as follows: First, initialize 
executes, and its outputs are the inputs to A- Then A executes, its oracle queries being answered by 
the corresponding procedures of GAME. When A terminates, its output becomes the input to the finalize 
procedure. The output of the latter is called the output of the game, and we let GAME" 4 =>■ y denote the 
event that this game output takes value y. „4 GAME denotes the output of the adversary and Adv^ AME = 
2 x Pr[GAME"^ =>■ 1] — 1. Our convention is that Boolean flags are assumed initialized to false and that the 
running time of the adversary A is defined as the total running time of the game with the adversary in 
expectation, including the procedures of the game. 



4 



3 RNG with Input: Modeling and Security 

In this section we present formal modeling and security definitions for RNGs with input, largely follow- 
ing [DPR+13]. 

Definition 1 (RNG with input). An RNG with input is a triple of algorithms Q = (setup, refresh, next) 

and a triple (n,£,p) G N 3 where n is the state length, I is the output length and p is the input length of Q: 

— setup: a probabilistic algorithm that outputs some public parameters seed for the generator. 

— refresh: a deterministic algorithm that, given seed, a state S G {0, l} n and an input I G {0, 1} P , outputs 
a new state S' = refresh(seed, S, I) G {0, l} n . 

— next: a deterministic algorithm that, given seed and a state S G {0, l} n , outputs a pair (S',R) = 
next(seed, S) where S' G {0, 1}™ is the new state and R G {0, l} e is the output. 

Before moving to defining our security notions, we notice that there are two adversarial entities we need 
to worry about: the adversary A whose task is (intuitively) to distinguish the outputs of the RNG from 
random, and the distribution sampler D whose task is to produce inputs ■ ■ ■ , which have high entropy 

collectively, but somehow help A in breaking the security of the RNG. In other words, the distribution 
sampler models potentially adversarial environment (or "nature") where our RNG is forced to operate. 

3.1 Distribution Sampler 

The distribution sampler V is a stateful and probabilistic algorithm which, given the current state a, outputs 
a tuple (a 1 , 1, 7, z) where: (a) a' is the new state for V; (b) / G {0, 1} P is the next input for the refresh 
algorithm; (c) 7 is some fresh entropy estimation of I, as discussed below; (d) z is the leakage about I 
given to the attacker A. We denote by qz> the upper bound on number of executions of T> in our security 
games, and say that V is legitimate if H^^Ij \ I\, . . . , Ij-i, Ij+i, • • • , I qT) , z±, . . . , z qT) ,jQ, . . . , 7^) > jj for 
all j € {1, ... , qv] where (<7j, 7$, z{) = P(<7i_i) for i G {1, . . . , qv} and a 0 = 0. 1 

We explain [DPR + 13]'s reason for explicitly requiring T> to output the entropy estimate jj. Most complex 
RNGs are worried about the situation where the system might enter a prolonged state where no new entropy 
is inserted in the system. Correspondingly, such RNGs typically include some ad hoc entropy estimation 
procedure E whose goal is to block the RNG from outputting output value Rj until the state has not 
accumulated enough entropy 7* (for some entropy threshold 7*). Unfortunately, it is well-known that even 
approximating the entropy of a given distribution is a computationally hard problem [SV03]. This means 
that if we require our RNG Q to explicitly come up with such a procedure E, we are bound to either place 
some significant restrictions (or assumptions) on V, or rely on some hoc and non standard assumptions. 
Indeed, [DPR + 13] demonstrate some attacks on the entropy estimation of the Linux RNG, illustrating how 
hard (or, perhaps, impossible?) it is to design a sound entropy estimation procedure E. Finally, we observe 
that the design of E is anyway completely independent of the mathematics of the actual refresh and next 
procedures, meaning that the latter can and should be evaluated independently of the "accuracy" of E. 

Motivated by these considerations, [DPR + 13] do not insist on any "entropy estimation" procedure as 
a mandatory part of the RNG design. Instead, they place the burden of entropy estimations on V itself. 
Equivalently, we can think that the entropy estimations jj come from the entropy estimation procedure E 
(which is now "merged" with V), but only provide security assuming that E is correct in this estimation 
(which we know is hard in practice, and motivates future work in this direction). 

However, we stress that: (a) the entropy estimates jj will only be used in our security definitions, but 
not in any of the actual RNG operations (which will only use the input / returned by V); (b) we do not 
insist that a legitimate V can perfectly estimate the fresh entropy of its next sample Ij, but only provide a 
lower bound that is legitimate. For example, T> is free to set jj = 0 as many times as it wants and, in this 
case, can even choose to leak the entire Ij to A via the leakage Zj\ More generally, we allow V to inject new 

1 Since conditional min-entropy is defined in the worst-case manner, the value jj in the bound below should not be viewed 
as a random variable, but rather as an arbitrary fixing of this random variable. 
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entropy jj as slowly (and maliciously!) as it wants, but will only require security when the counter c keeping 
track of the current "fresh" entropy in the system 2 crosses some entropy threshold 7* (since otherwise we 
have"no reason" to expect any security). 



3.2 Security Notions 

We define the game R0B(7*) in our game framework. We show the initialize and finalize procedures for 
R0B(7*) in Figure 1. The attacker's goal is to guess the correct value b picked in the initialize procedure 
with access to several oracles, shown in Figure 2. [DPR + 13] define the notion of robustness for an RNG 
with input. In particular, they define the parametrized security game R0B(7*) where 7* is a measure of the 
"fresh" entropy in the system when security should be expected. Intuitively, in this game A is able to view 
or change the state of the RNG (get-state and set-state), to see output from it (get-next), and to update 
it with a sample Ij from V (P-refresh). In particular, notice that the P-refresh oracle keeps track of the 
fresh entropy in the system and declares the RNG to no longer be corrupted only when the fresh entropy 
c is greater than 7*. (We stress again that the entropy estimates 7$ and the counter c are not available to 
the RNG.) Intuitively, A wins if the RNG is not corrupted and he correctly distinguishes the output of the 
RNG from uniformly random bits. 



proc. initialize 


proc. finalize(6*) 


seed A setup; a 4- 0; S A {0, 1}™; c <s— n; corrupt «- false; b A {0, 1} 


IF b = b* RETURN 1 


OUTPUT seed 


ELSE RETURN 0 



Fig. 1: Procedures initialize and finalize for Q — (setup, refresh, next) 



proc. ©-refresh 

S «- refresh^, /) 
c ^— c + 7 
IF c > 7*, 

corrupt <— false 
OUTPUT (7,2) 



proc. next-ror 

(S, Ro) 4- next(S) 

i?i^{0,l}* 

IF corrupt = true, 

c <- 0 

RETURN Ro 
ELSE OUTPUT R b 



proc. get-next 

(S, R) <- next(S') 
IF corrupt = true, 

c<- 0 
OUTPUT 7? 



proc. get-state 

c «— 0; corrupt <— true 

OUTPUT S 

proc. set-state^*) 
c 4— 0; corrupt <— true 

S<- S* 



Fig. 2: Procedures in R0B(7*) for Q = (setup, refresh, next) 



Definition 2 (Security of RNG with input). A pseudorandom number generator with input Q = (setup, 
refresh, next) is called ((t, qx>, qn, qs), 7*, e)-robust if for any attacker A running in time at most t, making at 
most qx> calls to P-refresh, qji calls to next-ror/get-next and qs calls to get-state/set-state, and any legitimate 
distribution sampler V inside the D-refresh procedure, the advantage of A in game R0B(7*) is at most e. 

Notice that in R0B(7*), if A calls get-next when the RNG is still corrupted, this is a "premature" 
get-next and the entropy counter c is reset to 0. Intuitively, [DPR+13] treat information "leaked" from 
an insecure RNG as a total compromise. We modify their security definition and define the notion of 
robustness against premature next with the corresponding security game NR0B(7*, 7 max , /3). Our modified 
game NR0B(7*, 7 max , P) has identical initialize and finalize procedures to [DPR + 13]'s R0B(7*) (Figure 1). 
Figure 3 shows the new oracle queries. The differences with ROB (7*) are highlighted for clarity. 

In our modified game, "premature" get-next calls do not reset the entropy counter. We pay a price 
for this that is represented by the parameter (3 > 1. In particular, in our modified game, the game does 
not immediately declare the state to be uncorrupted when the entropy counter c passes the threshold 7*. 
Instead, the game keeps a counter T that records the number of calls to D-refresh since the last set-state or 

2 Intuitively, "fresh" refers to the new entropy in the system since the last state compromise. 
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get-state (or the start of the game). When c passes 7*, it sets T* <— T and the state becomes uncorrupted 
only after T > f3T* (of course, provided A made no additional calls to get-state or set-state). In particular, 
while we allow extra time for recovery, notice that we do not require any additional entropy from the 
distribution sampler V. 

Intuitively, we allow A to receive output from a (possibly corrupted) RNG and, therefore, to potentially 
learn information about the state of the RNG without any "penalty". However, we allow the RNG additional 
time to "mix the fresh entropy" received from T>, proportional to the amount of time T* that it took to get 
the required fresh entropy 7* since the last compromise. 

As a final subtlety, we set a maximum 7 max on the amount that the entropy counter can be increased 
from one D-refresh call. This might seem strange, since it is not obvious how receiving too much entropy 
at once could be a problem. However, 7 max will prove quite useful in the analysis of our construction. 
Intuitively, this is because it is harder to "mix" entropy if it comes too quickly. Of course 7 max is bounded 
by the length of the input p, but in practice we often expect it to be substantially lower. In such cases, 
we are able to prove much better performance for our RNG construction, even if 7 max is unknown to the 
RNG. In addition, we get very slightly better results if some upper bound on 7 max is incorporated into the 
construction. 



proc. ©-refresh 

S <- refresh (S, J) 
IF 7 > 7 max , THEN 7 <- 7 max 



c c + 7 



IF c > 7*, 

corrupt < — false 




OUTPUT (7,2) 



proc. next-ror 

{S,Ro) <- next(S) 

Ri^{0,l} e 

IF corrupt = true, 

c < 0 

RETURN Ro 
ELSE OUTPUT R b 



proc. get-next 
(S, R) <- next(S) 
IF corrupt = true, 

c < 0 
OUTPUT R 



proc. get-state 
c ^— 0; corrupt «- 



true 



0; T* <- 0 



OUTPUT S 

proc. set-state^*) 
c 0; corrupt «— true 



T <- 0; T* 
S* 



0 



Fig. 3: Procedures in NR0B(7*, 7 max , /3) for Q — (setup, refresh, next) with differences from R0B(7*) highlighted 



Definition 3 (Security of RNG with input against premature next). A pseudorandom number 
generator with input Q = (setup, refresh, next) is called ((i, qx>, qR, qs), 7*, 7max, £, /?)-premature-next ro- 
bust if for any attacker A running in time at most t, making at most qx> calls to P-refresh, qn calls to 
next-ror/get-next and qs calls to get -state/set-state, and any legitimate distribution sampler V inside the 
P-refresh procedure, the advantage of A in game NR0B(7*, 7 max , (3) is at most e. 

Relaxed Security Notions. We note that the above security definition is quite strong. In particular, 
the attacker has the ability to arbitrarily set the state of Q many times. Motivated by this, we present 
several relaxed security definitions that may better capture real-world security. These definitions will be 
useful for our proofs, and we show in Section 4.2 that we can achieve better results for these weaker notions 
of security: 

- NROB reset (7*, 7 max , (3) is NR0B(7*, 7 max , fO) in which oracle calls to set-state are replaced by calls to 
reset-state, reset- state takes no input and simply sets the state of Q to some fixed state So, determined 
by the scheme and sets the entropy counter to zero. 3 

- NROBi set (7*, 7 max , (3) is NR0B(7*, 7 max , (3) in which the attacker may only make one set-state call at 
the beginning of the game. 

- NROBoset(7*, 7max, P) is N R0B(7* , 7 max , (3) in which the attacker may not make any set-state calls. 

3 Intuitively, this game captures security against an attacker that can cause a machine to reboot. 
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We define the corresponding security notions in the natural way (See Definition 3), and we call them 
respectively robustness against resets, robustness against one set-state, and robust without set-state. 

4 The Generalized Fortuna Construction 

At first, it might seem hopeless to build an RNG with input that can recover from compromise in the 
presence of premature next calls, since output from a compromised RNG can of course reveal information 
about the (low-entropy) state. Surprisingly, Ferguson and Schneier presented an elegant away to get around 
this issue in their Fortuna construction [FS03]. Their idea is to have several "pools of entropy" and a special 
"register" to handle next calls. As input that potentially has some entropy comes into the RNG, any entropy 
"gets accumulated" into one pool at a time in some predetermined sequence. Additionally, some of the pools 
may be used to update the register. Intuitively, by keeping some of the entropy away from the register for 
prolonged periods of time, we hope to allow one pool to accumulate enough entropy to guarantee security, 
even if the adversary makes arbitrarily many premature next calls (and therefore potentially learns the 
entire state of the register). The hope is to schedule the various updates in a clever way such that this 
is guaranteed to happen, and in particular Ferguson and Schneier present an informal analysis to suggest 
that Fortuna realizes this hope in their "constant rate" model (in which the entropy 7^ of each input is an 
unknown constant). 

In this section, we present a generalized version of Fortuna in our model and terminology. In particular, 
while Fortuna simply uses a cryptographic hash function to accumulate entropy and implicitly assumes 
perfect entropy accumulation, we will explicitly define each pool as an RNG with input, using the robust 
construction from [DPR + 13] (and simply a standard PRG as the register). And, of course, we do not make 
the constant-rate assumption. We also explicitly model the choice of input and output pools with a new 
object that we call a scheduler, and we define the corresponding notion of scheduler security. In addition 
to providing a formal model, we achieve strong improvements over Fortuna's implicit scheduler. 

As a result, we prove formally in the standard model that the generalized Fortuna construction is 
premature-next robust when instantiated with a number of robust RNGs with input, a secure scheduler, 
and a secure PRG. 

4.1 Schedulers 

Definition 4. A scheduler is a deterministic algorithm SC that takes as input a key skey and a state 
t G {0, l} m and outputs a new state t' G {0, l} m and two pool indices, in, out G NU {-L}. 

We call a scheduler keyless if there is no key. In this case, we simply omit the key and write SC(t). We say 
that SC has P pools if for any skey and any state r, if (r', in, out) = 5C(skey, r), then in, out 6 [0, P— 1]U{_L}. 

Given a scheduler SC with skey and state r, we write 5C 9 (skey, r) = (\v\j{SC, skey, r), outj(SC, skey, t))^ =1 
to represent the sequence obtained by iteratively computing (in, out, r) <SC(skey,r) for q times. When 
SC, skey, and r are clear or implicit, we will simply write i and outj. We think of in.,- as a pool that is to 
be "filled" at time j and out,- as a pool to be "emptied" immediately afterwards. When out; = _L, no bin is 
emptied. 

For a scheduler with P pools, we define the security game SGAME(i- > , q, w m3iX , a, (3) as in Figure 4. In 
the security game, there are two adversaries, a sequence sampler £ and an attacker A. We think of the 
sequence sampler £ as a simplified version of the distribution sampler V that is only concerned with the 
entropy estimates (7i)? =1 - £ simply outputs a sequence of weights {wi) q i=l with 0 < Wi < w max , where we 
think of the weights as normalized entropies Wi =74/7* and tD max = 7max/7*- 

The challenger chooses a key skey at random. Given skey, A chooses a start state for the scheduler To, 
resulting in the sequence (irij, outj)f =1 . Each pool has an accumulated weight Cj, initially 0, and the pools 
are filled and emptied in sequence; on the T-th step, the weight of pool in^ is increased by wt and pool 
outy is emptied (its weight set to 0), or no pool is emptied if out = _L. If at some point in the game a 
pool whose weight is at least 1 is emptied, the adversary loses. (Remember, 1 here corresponds to 7*, so 
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proc. SGAME 

wi, . . . , w q £ 

skey A {0, l} |skey| 

r () «- .4(skey, (w;)Li) 

(inj,outi)? =1 «- SC q (skey, ro) 

c <- 0; Co <- 0, . . . , c P -! <- 0; T* <- 0 

FOR T in 

IF t»i > ™ max , THEN OUTPUT 0 

C <(— C + TOt; Cin T Cin T + WT 

IF out / _L, 

IF c outT > 1, THEN OUTPUT 0 

ELSE c outT «- 0 
IF c> a 

IF T* = 0, THEN T* <— T 

IF T> /3-T*, THEN OUTPUT 1 

OUTPUT 0 



Fig. 4: SGAME(P, g, to m ax, a, /?), the security game for a scheduler SC 

this corresponds to the case when the underlying RNG recovers.) We say that such a pool is a winning 
pool at time T against {tq, W ). On the hand, the adversary wins if Yll=i w i — a an d the game reaches the 
{(3 • T*)-th step (without the challenger winning). Finally, if neither event happens, the adversary loses. 

Definition 5 (Scheduler security). A scheduler SC with P pools is (t, g, w; max , a, /3, e)-secure if for any 
pair of adversaries £, A with cumulative run-time t, the probability that £, A win game SGAME(P, q, w mSuX , a, (3) 
is at most e. We call r = a ■ (3 the competitive ratio of SC. 4 

We note that schedulers are non-trivial objects. Indeed, in Appendix A, we prove the following lower 
bounds, which imply that schedulers can only achieve superconstant competitive ratios r = a • (3. 

Theorem 1. Suppose that SC is a (t,q,w maK ,a,{3,e)-secure scheduler running in time tsc- Let r = a ■ /3 
be the competitive ratio. Then, if q > 3, e < 1/q, t = Q(q ■ {tsc + log?)), and r < w milX y/q, we have that 

r > log e q - log e (l> max ) - log e log e q-1, a> — — • ^^Je^l ' 
4.2 The Composition Theorem 

Our generalized Fortuna construction consists of a scheduler SC with P pools, P entropy pools Qi, and 
register p. The Qi are themselves RNGs with input and p can be thought of as a much simpler RNG with 
input which just gets uniformly random samples. On a refresh call, Fortuna uses SC to select one pool Q- m 
to update and one pool Q out from which to update p. next calls are handled entirely from the register. 

Formally, we define a generalized Fortuna construction as follows: Let SC be a scheduler with P pools 
and let pools Qi = (setup^ refreshj, nextj) for i = 0, . . . , P— 1 be RNGs with input. For simplicity, we assume 
all the RNGs have input length p and output length £, and the same setup procedure, setup, = setupg. We 
also assume G : {0,1}^ — > {0, l} 2e is a pseudorandom generator (without input). We construct a new 
RNG with input Q(SC, (Qi)^S 0 l , G) = (setup, refresh, next) as in Figure 5. 

Theorem 2. Let Q be an RNG with input constructed as above. If the scheduler SC is a (tscQv, w max , a, (3, £sc)- 
secure scheduler with P pools, the pools Qi are ((t,qx>,qR = qv,Qs),l* ,e)-robust RNGs with input and the 

4 The intuition for the competitive ratio r — a ■ f3 (which will be explicit in Section 6) comes from the case when the sequence 
sampler £ is restricted to constant sequences Wi = w. In that case, r bounds the ratio between the time taken by SC to win 
and the time taken to receive a total weight of one. 
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proc. setup : 

seedg <— setupg() 

skey A {0, l} |skey| 

OUTPUT seed = (skey, seedg) 



proc. refresh (seed, S, I) : 

PARSE (skey, seedg) «- seed; (r, S p , (Si)^ 1 

(r, in, out) <— 5C(skey, r) 

5in <— refreshin(seedg, Sin, /) 

(Sout, R) next ou t (seedg, S ou t) 

Sp ^ Sp © 

OUTPUT S=(r,S p ,(S i )^ 0 1 ) 



s 



proc.next(seed, S) : 

PARSE (r,S p ,(S l )fS 0 1 ) 
(S P ,R)^G(S P ) 
OUTPUT (S=(r,S p ,(S i )^ 0 1 ),R) 



Fig. 5: The generalized Fortuna construction 



register G is (t, e prg ) -pseudorandom generator, then Q is ((t' , qx>, q' R , qs), ct • 7*, w ma , x • 7*, e', f3) -premature- 
next robust where t' « min(£, fee) ariC ^ £' = °f> " Qs " (?x> ■ £sc + -P • 2 m • e + ^e pr g)- 
For our weaker security notions, we achieve better e' : 

- For NROB rese t, e' = Qv-Qs-(qve sc + P-e + q' R e prg ). 

- For NROBi set; e' = q v ■ e sc + P ■ 2 m ■ e + q' R e prg . 

- For NROBoset, s' = qr> ■ s sc + P ■ e + q' R e prg . 



4.3 Proof of Theorem 2 

For convenience, we first prove the theorem for the game NROBi set . (Recall that NROBi set is a modified 
version of NROB in which the adversary is allowed only one call to set-state at the start of the game.) We 
then show that this implies security for the game NROB and sketch how to extend the proof to the two 
other notions. 

Let us start with some notation to keep track of the state of the security game NROBi set (a -7*, (3). Most 
importantly, for each of the P component RNGs Qi we will keep track of a counter q and a corruption 
flag corruptj. These implicitly correspond to the notion of corruption in the basic security game ROB. In 
particular, the flags are all initially set to corrupt^ <r- false and Cj 4- n for each of the RNGs. Whenever 
the attacker calls P-refresh on our constructed RNG, it receives sample / with min-entropy at least 7, and 
the scheduler chooses component RNGs G\mGout- Then, we (1) increment c m 4— c m + 7 and if c m > 7* set 
corrupt in <- false (2) if corrupt out = true set c ou t = 0. Whenever the attacker calls set-state or get-state, we 
set all of the flags corrupt^ <- true and q <— 0. 

We also define the flag corrupt^ for the register, which is initially set to corrupt^ <— false. Whenever the 
attacker calls D-refresh and and the component RNG Q ou t selected by the scheduler has corrupt out = false 
then set corrupt p <— false. Whenever the attacker calls set-state, get-state we set corrupt^ <- true. 

We now define a sequence of games: 

1. Game 0 is the NROBi set (a • 7*,/3) security game against Q. 

2. Game i for i = 1, . . . , P is a modified version of Game 0 in which, whenever we call next out at any 
point in the game on a component RNG £ 0 ut for out < i and corrupt out = false, we choose the output 
R <— {0, lY uniformly at random instead of using the output of the RNG. 

3. Game P + 1 is a modified version of Game P where, whenever nextp is called and corrupt^ is set to 
false, we output uniform randomness R <— {0, 1} . 

4. Game P + 2 is the same as Game P + 1, but whenever the corrupt flag (the global compromised flag 
of NROB itself) is set to false we also set corrupt^ to false. 

Let A be an attacker on the NROBi set security game running in time t' and making qx> queries to 
P-refresh, q R queries to get-next or next-ror, qs — 1 queries to get-state, and at most one set-state query at 
the very beginning of the game. In each game, we say that A wins if it guesses the challenge bit b' = b. 

Claim. For each i G {1, . . . P} we have | Pr[„4 wins in Game i — 1] — Pi[A wins in Game i]\ < 2 m e. 
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Proof. We prove this by reduction to the basic robustness game ROB of the underlying RNG Qi. Assume 
that there is some distribution sampler T> attacker A with advantage 8 in distinguishing Game i — 1 and 
Game i. The main idea is to compose the distributions sampler T> and the scheduler SC to create a new 
distribution sampler V that only outputs the samples of V intended for Qi and "leaks" all of the other 
samples to A'. This allows A' to simulate the NROBi set game for A by knowing the entire state of all the 
component RNGs except for Qi. The main subtle issue is that the state of the scheduler may get set by 
the attacker A in the initial set-state call in a way that depends on the seed of the RNG Qi, preventing V 
from learning the correct sequence of input bins. We handle this by simply guessing the initial scheduler 
state ahead of time Try. V then leaks Try to A', and if it happens to be wrong, he just stops the game and 
outputs a random bit b* . 

In particular, we define a distribution sampler T>\ qT> (with hard-coded values in the subscript) as shown 
in Figure 6. We also define A' as in Figure 7 to essentially simulate the NROBi se t game for A by using its 
oracles to get samples for Qi and knowing the state of all other generators. Let T4 be the scheduler state 
chosen by A on set-state or simply the start state of the scheduler if he does not call set-state. Let b c h a i be 
the challenge bit chosen by the ROB (7*) challenger 5 and let b* be the bit guessed by A' (which is uniformly 
random if T4 7^ Try). Conditioned on (b c h a i = 0) A (T4 = Try), the view of A above exactly corresponds to 
Game i — 1 and conditioned on (b c hal = 1) A (r_4 = Try) it corresponds to Game i. Therefore, we have: 

e > Adv*?^ = 2-| Pr[6* = b chal ] ~ \\ > \ ^[b* = l\b chal = 1] - Pr[6* = l\b chal = 0]| 

= Pr[T4 = 7^]|Pr[6* = l\b chal = l,r A = tv] - Pr[6* = \\b chal = 0,r A = t v >}\ > 2~ m 5 

The second line follows because, conditioned on T4 / tx>', the bit 6* is independent of b c h a l- This tells us 
that 5 < 2 m e as we wanted to show. 



proc. V' i:qv (a') : 

IF a' = 0 // initial call 

t {0,1}"\ skey t {0,1}", (in,, out, ^ ^ «SC™ (skey, t 0 ) 

Z 3 am «- 0, Zi eak <- 0 //Two empty queues 

FOR j = 1 . . . qx> : 

{a,I, 1 ,z)lv{a). 

IF irv, = i, THEN Z sam .push((1 , 7, z)) 

ELSE 2; eafc .push((/,7,2:)) 
a' <- Z 3am , J 0 «- 0, 70 0, z 0 (Z ieak , tt>>, skey) 
OUTPUT (cr',/o,7o,^o) 
ELSE 

{1,1, Z) «~ Zsam- P0p() 

OUTPUT (Z sam ,I,f,z). 



Fig. 6: The distribution sampler T>' 

□ 

Next we show that Game P is indistinguishable from Game P + 1. 
Claim. We have | Pr[*4 wins in Game P] — Pr[„4 wins in Game P + 1]| < 2e prg . 

Proof. We prove this by reduction to the PRG security of the underlying "register" G. We simply employ 
a hybrid argument over all calls to this G when corrupt p = false, starting from the earliest, and change the 
output (S p ,R) ^— G(Sp) to being a uniformly random 21 bit value. In each hybrid i the state S p prior to 

5 This does not correspond to the bit 6 chosen by A' in the simulation. 
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proc. D-refresh 

(r, in, out) «— SC(skey, r) 

IF in = i, 

(7,2) <- ROB( 7 *).D-refresh() 

ELSE , 

(1, 7, z) <- Z.pop() 

Sin <— refresh^ (seedg, S n , /) 

Cin C in + 7, C «- C + 7 
IF C in > 7* 

corrupt in 4— false. 
IF out = i, 

R A R0B( 7 *).next-ror() 
ELSE , 

(Sout, iZ) «- next out (seedg, S 0 ut) 
IF corrupt out = true 

Cout ^ 0 

IF out < i AND corrupt out = false, 

R A {0,1}' 

OUTPUT (7,2) 



proc. initialize() 

^{0,1} 

seedg «- R0B(7*).initialize() 
(2,T2,',skey) <- R0B(7*).r'-refresh() 

T4 £ {0, l}" 1 

FOR j G {0,...,P-1}\{»}: 

Sj A {0, 1}" 
FOR j6{0,...,P-l}: 

Cj ^— n, corrupt • ^— false 
c ^— n, corrupt <— false 
OUTPUT seed = (seedg,skey) 

proc. finalize(&*) 

IF tt>i + t a , THEN b* {0, 1} 
OUTPUT R0B(7*).finalize(b*) 

proc. next-ror 

(S pjJ Ro)^G(S p ) 

i?i^{0,l} £ 
IF corrupt = true, 

RETURN Ro 
ELSE OUTPUT R b 



proc. get-next 

(S P ,R)^G(S P ) 
OUTPUT R 

proc. get-state 
corrupt <— true, c ^— 0 
FOR j in 0, . . . , P - 1 

«— 0, corrupt ■ <— tr 
S t <- R0B(7*).get-state() 

OUTPUT S 

proc. set-state(S') 
corrupt «— true, c ^— 0 
PARSE (^.^.(S^f-o 1 )* 
FOR j in 0, . . . , P - 1 



S' 



0, corrupt <— true 



IF 



s, «- s; 



ELSE 



R0B( 7 *).set-state(S;) 



r - 

s a 



TA 

-s' P 



Fig. 7: Responses of A' to oracle queries from A 



the ith call is either (I) the initial value chosen uniformly random, (II) an output of a prior G call and 
therefore uniformly random in this hybrid, (III) some value xored with the output of some pool Q% when 
corrupt^ was set to false and therefore uniformly random. □ 

Next we show that Game P + 1 is indistinguishable from Game P + 2. 
Claim. We have | Pr[_4 wins in Game P + 1] — Pr[.A wins in Game P + 2]| < qv^sc- 

Proof. We prove this by reduction to scheduler security. In particular, Game P+l and P + 2 can only differ 
if in Game P + 1 it happens at some point that the corrupt flag is set to false but corrupt, = true. We call 
this event E^ad- Intuitively, this corresponds to the case where the attacker makes a get-state or set-state 
query (causing corrupt and corrupt p to both be set to true) then sufficient entropy (07*) has been added by 
the entropy sampler and sufficient time (/3T*) passes to ensure that corrupt is set to false, but none of the 
component RNGs Qi managed to get enough entropy to set corrupt^ to false or they were never emptied. 
This corresponds to a failure of the scheduler, and we show how to convert an attacker A and distribution 
V for which Pr[Eb a d] > 6 into an attack £,A' on the scheduler. For convenience, when E^ad occurs, let i* 
be the index of the first entropy sample given after the last get-state, set-state (compromise) query before 
E bad occurs. 

The attackers £,A' guess a random value i £ [qx>] which intuitively corresponds to a guess on i* . 
£ simply runs V for qx> steps to get (among other outputs) the entropy estimates {7?}. It outputs the 
sequence w\ = Ji/'J*,W2 = 71+1/7*,.... The attacker „4'(skey) simply runs a copy of A, V completely 
simulating Game P + l and outputs the state of the scheduler r immediately before the ith D-refresh 
query. It is easy to check that £ , A' win against the scheduler as long as V, A cause the event E^ad to 
happen and the guess i = i* is correct. In particular, the entropy counters a measuring the amount of 
entropy added to each RNG behave the same those in the scheduler security game, up to the scaling factor 
of 7*. Therefore, they have advantage 5/qv which proves the claim. □ 

Claim. We have Pr[„4 wins in Game P + 2] = \. 
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Proof. The attacker's view in Game P + 2 is completely independent of challenge bit b. In particular, the 
next-ror queries with corrupt = false always return a random value no matter what the bit b is. Therefore, 
the attacker's probability of guessing the challenge bit is exactly \. □ 

Combining the above claims, we prove the theorem for the case of NROBi set security. Notice that the 
same proof for the game NROBo se t would not require us to guess the initial state of the scheduler in going 
from Game i — 1 to Game i and would therefore avoid the 2 m factor loss in security. 

We can now generically go from NROBi set security to full NROB security. Indeed, an analogous version of 
the same claim can also be used to go from NROBo se t to NROB reset security with the same loss of parameters. 

Claim. If an RNG satisfies (t, qv, qa, qs, 1* , 7max, £, /3)-NR0Bi set security, then it also satisfies 
(*', Qv, QRi qs, 7*> 7max, s' , /3)-NR0B security where t' « t, e' = q^qse. 

Proof. Let A, T> be any attacker and distribution sampler against NROB with advantage 8. Let us divide 
up the game into at most qs epochs, where each epoch i begins either at the beginning of the game or with 
a set-state query. Let Game 0 be the original NROB game with challenge bit 6 = 0, and let Game i be the 
game where each next-ror query in epoch i with corrupt = false returns a uniformly random R «— {0, 
The output of the game is the output of A. We have |Pr[(Game 0) =>■ 1] — Pr[(Game qs) 1]| = 5/2 
meaning that there is some i such that | Pr[(Game i) 1] — Pr[(Game i + 1) =>- 1]| > 8/(2qs). 

We construct A' ,V with advantage 5/(qsq%,) m the game NROBi set . In particular we guess two addi- 
tional indices j start < jend £ [qv] for the samples used at the beginning and end of epoch i. The distributions 
sampler D' runs T> for qx> times to get all the samples up front, immediately leaks the samples (Ij,jj,Zj) 
for j < jstart an d j > jend, an d on each invocation outputs the samples Zj) starting from j = j s tart 

and incrementing j. The attacker A' simply uses the leaked samples to completely simulate Game i for A 
up until the zth epoch. At that point A' invokes its own challenger for NROBi set with distribution sampler 
V and uses the state given by attacker A in epoch i to make its own set-state query. It then uses its oracles 
to simulate the ilh epoch for A. Finally, at the end of the ith epoch A' again uses the leaked samples to 
simulate the rest of the game for A. If A' didn't guess jstart, jend correctly, it outputs a random bit. Other- 
wise it outputs what A outputs. It's easy to see that if A' guesses correctly and the challenge bit is b = 0 
then the above perfectly simulates (Game i) and if the bit is b = 1 is perfectly simulates (Game i + 1). 
Therefore, the advantage of A' ,V in guessing the challenge bit is 5/(qsq%,), which proves the claim. 

□ 

5 Instantiating the Construction 
5.1 A Robust RNG with Input 

Recall that our construction of a premature-next robust RNG with input still requires a robust RNG with 
input. We therefore present [DPR + 13]'s construction of such an RNG. 

Let G : {0, l} m — > {0, l} n+ * be a (deterministic) pseudorandom generator where m < n. Let [y]^ 1 
denote the first m bits of y G {0, 1}™. [DPR + 13]'s construction of an RNG with input has parameters n 
(state length), I (output length), and p = n (sample length), and is defined as follows: 

- setup(): Output seed = (X, X') <- {0, l} 2n . 

- S' = refresh(S, I): Given seed = (X, X'), current state S £ {0, 1}™, and a sample / G {0, l} n , output: 
S' := S ■ X + I, where all operations are over i^n. 

- (S',R) = next(S): Given seed = {X,X') and a state S G {0, l} n , first compute U = [X' ■ S]f. Then 
output (S',R) = G(U). 

Theorem 3 ( [DPR + 13, Theorem 2]). Let n > m,£, 7* be integers and e ext G (0,1) such that 7* > 
m + 21og(l/e ext ) + 1 andn> m + 2 log(l/e e xt) + log(gr>) + 1- Assume that G : {0, l} m ->• {0, l} n+i is a 
deterministic (t, e prg )-pseudorandom generator. Let Q = (setup, refresh, next) be defined as above. Then Q is 
a ((*') Qv, Qr, Qs),1* \e) -robust RNG with input where t' « t, s = qR(2e prg + q^,£ e xt + 2~ n+1 ). 



13 



[DPR + 13] recommend using AES in counter mode to instantiate their PRG, and they provide a detailed 
analysis of its security with this instantiation. (See [DPR + 13, Section 6.1].) We notice that our construction 
only makes next calls to their RNG during our refresh calls, and Ferguson and Schneier recommend limiting 
the number of refresh calls by simply allowing a maximum of ten per second [FS03]. They therefore argue 
that it is reasonable to set q-p = 2 32 for most security cases (effectively setting a time limit of over thirteen 
years). So, we can plug in qv = QR = Qs = 2 32 . 

With this setting in mind, guidelines of [DPR + 13, Section 6.1] show that our construction can provide a 
pseudorandom 128-bit string after receiving 7q bits of entropy with 7q in the range of 350 to 500, depending 
on the desired level of security. 

5.2 Scheduler Construction 



proc. 5C(skey, r) : 

IF t / 0 mod P/u> max , THEN out <- _L 

ELSE out «- maxjout : r = 0 mod 2 out ■ P/w max } 

in <— F(skey, r) 

t' 4 — t -(- 1 mod q 

OUTPUT (V, in, out) 



Fig. 8: Our scheduler construction 

To apply Theorem 2, we still need a secure scheduler (as defined in Section 4.1). Our scheduler will be 
largely derived from Ferguson and Schneier 's Fortuna construction [FS03], but improved and adapted to our 
model and syntax. In our terminology, Fortuna's scheduler SCjr is keyless with log 2 q pools, and its state is 
a counter r. The pools are filled in a "round-robin" fashion, (e.g., pool i is filled when r = i mod \og 2 q)- 
Every log 2 q steps, Fortuna empties pool i if 2 l divides r/ log 2 q. 

SCjr is designed to be secure against some unknown but constant sequence of weights Wi = w. Roughly, if 
w > 1/2*, then Fortuna will win by the second time that pool i is emptied. 6 We modify Fortuna's scheduler 
so that it is secure against arbitrary (e.g., not constant) sequence samplers by replacing the round-robin 
method of filling pools with a pseudorandom sequence. We also slightly lower the number of pools, and we 
account for w max , as we explain below. 

Assume for simplicity that log 2 log 2 q and log 2 (l/u> max ) are integers. We let P = log 2 q — log 2 log 2 q — 
log 2 (l/u; max ). We denote by skey the key for some pseudorandom function F whose range is {0, . . . , P — 1}. 
Given a state r € {0, . . . , q — 1} and a key skey, we define 5C(skey, r) formally in Figure 8. In particular, 
the input pool is chosen pseudorandomly such that in = F(skey, r). When r = 0 mod P/w max , the output 
pool is chosen such that out is maximal with 2 out • P/w max divides r. (Otherwise, there is no output pool.) 

Theorem 4. // the pseudorandom function F is (i, £p)- secure, then for any e £ (0, 1), the scheduler SC 
defined above is (t' , q, w max , a, (3, esc)- secure with t' t, esc = Q • (sf + e), 

a = 2 • (w max ■ log e (l/e) + 1) • (log 2 q - log 2 log 2 q - log 2 (l/w max )) , and (3 = 4 . 

Remark. Note that we set P = log 2 q — log 2 log 2 q — log 2 (l/w max ) for the sake of optimization. In practice, 
w max = 7max/7* may be unknown, in which case we can safely use log 2 q — log 2 log 2 q pools at a very small 
cost. We can then still obtaining significant savings in a when w max = 7max/7* is small even if w ma , x is 
unknown. In other words, one can safely instantiate our scheduler (and the corresponding RNG with input) 
without a bound on w mSLX , and still benefit if w max happens to be low in practice. 

6 We analyze their construction against constant sequences much more carefully in Section 6. 
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To prove the theorem, we define a sequence of games. Let Game 0 be SGAME(P, q, w max , a, (3) against 

SC. Let Game 1 be Game 0 in which the adversary A is removed and the start state tq is simply selected 
$ 

randomly tq {0, . . . , q — 1}. Let Game 2 be Game 1 with F(skey, •) replaced by H, a uniformly random 
function. 

Claim. For any sequence sampler £ and any adversary A, 

~Pt[A, £ win in Game 0] < q ■ Pi[£ wins in Game 1] 

Proof. Fix A, £■ Let Tq <- {0, . . . , q — 1}, and let E be the event that „4(skey) = Tq. Then, 

Pr[£ wins in Game 1] > Pr[£ wins in Game 1\E\ ■ Pi[E] = - ■ Pr[A,£ win in Game 0] . □ 

Claim. Suppose F is a (t, q, £p)-secure pseudorandom function. Then, for any sequence sampler, £ running 
in time t' ~ t, 

Pr[£ wins in Game 1] < £f + Pr[£ wins in Game 2] . 

Proof. Fix £. We will construct an adversary Af that attempts to distinguish between F under a random 
key and a uniformly random function. 

„4f receives access to a function H, which is either F under a random key or uniformly random. Af then 
simulates £, receiving output (w\, . . . ,w q ). Finally, Af simply simulates Game 1 with (wi) and outputs 
the result of the game. 

Note that _4f outputs exactly the result of (Game 1)^ if H is F under a random key and exactly the 
results of (Game 2) £ when H is a random function. The advantage of Af in the PRF game is therefore 

Pr[<? wins in Game 1] + Pr[£ loses in Game 2] — 1 = Pr[£ wins in Game 1] — Pr[£ wins in Game 2] . 

The result follows from the security of F. □ 

Claim. For any e G (0, 1), let Game 2 as above with f3 = 4, P = log 2 q, l/w m & x an integer, and 

a = 2 • (w max • log e (l/e) + 1) • (log 2 q - log 2 log 2 q - log 2 {l/w max )) . 

Then, for any sequence sampler £ , Pr[£ wins in Game 2] < e. 

Proof. Fix the output of £ , (u>i, . . . , w q ). Let tq G {0, . . . , q — 1} be some start state with the corresponding 
sequence (irij, outj)^ =1 . Note that irij is uniformly random and independent of £,tq. 

Let T* such that w i ^ a - Let J such that 25 ^ w max -T*/P> 2?~ x . (If no such T*,j exist, then 

SC wins by default.) 

We wish to find a pool that was not emptied before time T* but is emptied relatively soon after time 
T* . Call the first such pool to be emptied win and the first time that pool win is emptied T w - In . Note that 
there is at most one k > j such that pool k was emptied before time T*. If such a pool exists, call the first 
time that it is emptied Tfc. Note that 1? ■ P/w max divides + tq. We consider three different cases: 

1. If no such k exists, then some pool whose index is at least j must be emptied by 2 J • Pb/w max , and by 
hypothesis it cannot have been emptied before time T* . So T w - m < 2 3 ■ P/w ma , x . 

2. If k > j, then pool k is emptied at most every 2-'^ • P/w nmx rounds, so the pool emptied at time 

-P/w max cannot be pool k. But, 2 : >-P/w max divides Tfc+2- 7 • P / 'w max +To, so some pool whose index is 
at least j must be emptied at time Tfc+2- 7 -P/w max . Therefore, T w - m = T^+2- 5 -P/w max < T*+2 J ' -P/w max . 

3. If k = j, then 2^' +1 • P/w 

max does not divide + To, and therefore 2- ? ~^ 1 • P/w max must divide + 
2 3 ■ P/w max . So, a pool whose index is greater than j must be emptied at that time. Therefore T w j n < 
T k + 23 ■ P/w max <T* + V ■ P/w 

max' 
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In all cases, 

T win < T* + 2> • P/w max < 2-? +1 • P/ Wmax . 

So T win < pr • T* = 4 • T* = 0 ■ T*. Recall that the scheduler wins if it empties a pool with weight at least 
one at any time before (3 -T*. Therefore, the scheduler wins if win has weight at least one after time T*. 

Let 0 < W wint i < ttJmax be the random variable that takes value Wi if irij = win and 0 otherwise. Then, 
the weight of pool win at time T* is z2i=i Wwin i- 

We recall the standard Chernoff-Hoeffding bound: 

pt[w < (i - s)n] < e -^nwy{2 W ^) 

for any 5 € (0, 1). Plugging in, the probability that the scheduler loses after starting in state tq is at most 



Pr [ £ WW < 1 



i<T* 



Finally, we set e = e 1 Wmax • e 2 »m ax -p and solve for a: 



a = 2 • (w max • log e (l/e) + 1) ■ P 

= 2 • (w max • log e (l/e) + 1) • (log 2 q - log 2 log 2 q - log 2 (l/u) ma x)) • □ 



Putting everything together, for any £,A, 



£SC < Q • Pr[£ wins in Game 1] 

< q ■ (ep + Pr[£^ wins in Game 2]) 

< g • (e F + e) 



5.3 Scheduler Instantiation 



To instantiate the scheduler in practice, we suggest using AES as the PRF F. As in [DPR + 13], we ignore 
the computational error term ep and set esc ~ Q£- 7 m our application, our scheduler will be called only on 
refresh calls to our generalized Fortuna RNG construction, so we again set q = 2 32 . It seems reasonable for 
most realistic scenarios to set w max = 7max/7* ~ 1/16 and esc ~ 2~ 192 , but we provide values for other 
w max and e as well: 





q 


'"max 


a 


P 


P 


2 -128 


2 32 


1/64 


115 


4 


21 


2-128 


2 32 


1/16 


367 


4 


23 


2-128 


2 32 


1/4 


1445 


4 


25 


2-128 


2 32 


1 


6080 


4 


27 



£SC 


q 


'"max 


a 


0 


P 




£SC 


q 


"'max 


a 


P 


P 


2-192 


2 32 


1/64 


144 


4 


21 




2-256 


2 32 


1/64 


174 


4 


21 


2 -l92 


2 32 


1/16 


494 


4 


23 




2-256 


2 32 


1/16 


622 


4 


23 


2-192 


2 32 


1/4 


2000 


4 


25 




2 -256 


2 32 


1/4 


2554 


4 


25 


2 -l92 


2 32 


1 


8476 


4 


27 




2 -256 


2 32 


1 


10,871 


4 


27 



5.4 Putting It All Together 



Now, we have all the pieces to build an RNG with input that is premature-next robust (by Theorem 2). 
Again setting q = 2 32 and assuming w ma , x = j max /j* ~ 32/500 w 1/16, our final scheme can output a 
secure 128-bit key in four times the amount of time that it takes to receive roughly 20 to 30 kilobytes of 
entropy. 

7 [DPR + 13] contains a detailed discussion of the subtleties here and the justification for such an assumption. 
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6 Constant-Rate Adversaries 



We note that the numbers that we achieve in Section 5.4 are not ideal. But, our security model is also 
very strong. So, we follow Ferguson and Schneier [FS03] and consider the weaker model in which the 
distribution sampler D is restricted to a constant entropy rate. While this model may be too restrictive, it 
leads to interesting results, and it suggests that our construction (or, rather, the slight variant suggested in 
Section 6.3) may perform much better against distribution samplers that are not too adversarial. Indeed, if 
we think of the distribution sampler V as essentially representing nature, this might not be too unreasonable. 

Constant-Rate Model. We simply modify our definitions in the natural way. First, we say that a 
distribution (resp., sequence) sampler is constant if, for all i, 7, = 7 (resp., Wi = w) for all i for some 
fixed 7 (resp., w). Second, we say that an RNG with input is ((t, q-DiQR^Qs)-, 7* >7max>£> P) -premature-next 
robust against constant adversaries if it is ((i, qx>, qn, qs), 7*, 7max, £> /3)-premature-next robust when the 
distribution sampler V is required to be constant. Third, we say that a scheduler is (t,q,w m &x,r,e)-secure 
against constant sequences if, for some 8 a, (3 such that a ■ /3 = r it is (i, q, w max , a, (3, e)-secure when the 
sequence sampler £ is required to be constant. When e = 0 and the adversaries are allowed unbounded 
computation (as is the case in our construction), we simply leave out the parameters t and e. 

Finally, we note that our composition theorem, Theorem 2, applies equally well in the constant-rate 
case. In particular, replacing a secure scheduler with a scheduler that is secure against constant sequences 
results in an RNG with input that is premature-next robust against constant adversaries, with identical 
parameters. This will allow us to achieve much better parameters for schedulers and RNGs with input 
against constant adversaries. 

6.1 Optimizing Fortuna's Scheduler 

Ferguson and Schneier essentially analyze the security of a scheduler that is a deterministic version of our 
scheduler from Section 5.2, with pseudorandom choices replaced by round-robin choices [FS03]. (This is, 
of course, where we got the idea for our scheduler.) They conclude that it achieves a competitive ratio of 
21og2Q r . However, the correct value is 31og 2 ?. 9 Ferguson and Schneier's model differs from ours in that 
they do not consider adversarial starting times To between the emptying of pools. Taking this (important) 
consideration into account, it turns out that SCjr achieves a competitive ratio of rjr = 3.51og 2 (/ in our 
model (e.g., for q = 2 32 , we get rjr = 112, as opposed to their claimed value of 64). 10 

Interestingly, the pseudocode in [FS03] actually describes a potentially stronger scheduler than the one 
that they analyzed. Instead of emptying just pool i, this new scheduler empties each pool j with j < i. 
Although Ferguson and Schneier did not make use of this in their analysis, we observe that this would 
lead to significantly improved results provided that the scheduler could "get credit" for all the entropy from 
multiple pools. Unfortunately, our model syntactically cannot capture the notion of multiple pools being 
emptied at once, and this is necessary for our composition theorem (Theorem 2). Fortunately, we notice 
that our model can simulate a multiple-pool scheduler by simply treating any set of pools that is emptied 
together at a given time as one new pool. 

In Appendix B, we make this observation concrete and further optimize the scheduler of Fortuna to 
obtain the following result. 

Theorem 5. For any integer b > 2, there exists a keyless scheduler SCf, that is (q,w majX ,rb)- secure against 
constant sequences where 

r b = (b+^j^ + - — ^P^j ■ (log b g-log b log fe <7-log 6 (l/tf max )) . 

We note that when the sequence sampler £ must be constant, (t, q, w m ax, a, fi, e)-security is equivalent to (t, q, to max , a', /?', e)- 
security if a ■ /3 — a' ■ ft' . 

9 There is an attack: Let w — 1/(2* + 1) and start Fortuna's counter so that pool i + 1 is emptied after T ■ log 2 q steps. Clearly, 
SCjr takes (2' + 2 l+1 ) • log 2 q = 3 • 2 l • log 2 q total steps to finish, achieving a competitive ratio arbitrarily close to 31og 2 q. 
10 This follows from the analysis of our own scheduler in Appendix B. 
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In particular, with w ma , x = 1 and q — > oo, b = 3 is optimal with r$ ps 2.1 log 2 q ~ ~ yj§ ~ TTjT' 

W^e note thatSCb performs even better in the non-asymptotic case. For example, in the case that Ferguson 
and Schneier analyzed, q = 2 32 and u> max = 1, we have r^ ps 58.2 ps saving almost half the entropy 
compared to Fortuna. 

6.2 Constant-Rate Instantiation 

Using the results from above, we note that applying our generalized Fortuna construction with the scheduler 
from Appendix B with b = 3, q = 2 32 , and w max = 1 yields an RNG with input that can achieve a secure 
128-bit key after accumulating 3 to 4.5 kilobytes of entropy from a constant distribution sampler V. So, 
this constant-rate construction (in this restricted setting) is over twenty-five more efficient than our general 
construction. 11 (In Section 6.3, we present a scheduler that achieves these better results in the constant-rate 
case but also achieves the results presented in Section 5 in our stronger model.) 

Ferguson and Schneier claim in [FS03] that their underlying seed (the key for AES in counter mode) 
reaches a secure 128-bit key after receiving what amounts to over 1.7 kilobytes of entropy (after accounting 
for the error and difference in models mentioned in Section 6). However, we note that they implicitly assume 
that their construction achieves perfect entropy accumulation. We achieve formally provable security and 
lose roughly a factor of four from using the construction of [DPR + 13] described in Section 5 to accumulate 
entropy, though due to various optimizations we manage to come within a factor of about 2 of Ferguson 
and Schneier's claim. 

6.3 A Scheduler Secure in Both Worlds 

Recall that in Section 5.2, we construct a secure scheduler, and above we construct a keyless scheduler that 
is secure only against constant sequence samplers but achieves much better parameters. We justify this 
weaker model by arguing that, in practice, a purely adversarial distribution sampler may be too stringent. 
We would like to say that the "true" security of our construction in a "real world" setting lies somewhere in 
between. And, we would like to say that practitioners can use one scheduler that is provably secure in the 
stronger model and achieves excellent parameters when adversaries happen to be friendlier. 

However, this is unfortunately not true for the scheduler that we presented in Section 5.2. Recall that 
this scheduler selected which pool to fill at a given time pseudorandomly, using a PRF. It is not hard to 
see that its performance against constant sequence samplers is only slightly better than its performance 
against arbitrary adversaries. Intuitively, our keyless scheduler distributes weight evenly amongst all of its 
pools, while our more secure scheduler only does so in expectation. As a result, it can put entropy in the 
"wrong pool" with fairly high probability, even in the constant-rate case. 

Luckily, there is a fairly simple solution. Instead of selecting a new pool pseudorandomly at each step, 
we instead choose a pseudorandom permutation of all P pools every P steps. In particular, given a state r 
and a key skey, the scheduler computes ir <— F(skey, [t/P\) where ir is a permutation of P elements, F is a 
pseudorandom function whose range is all permutations on P elements, and P is the number of pools of the 
scheduler. It then fills pool in tt(t mod P). The scheduler can otherwise behave like our scheduler from 
Section 6. It is not hard to see that our proofs of security in both the constant-rate and general case apply 
immediately to this modified scheduler. So, we recommend that practitioners implement this construction. 

7 Relaxing the Seed Independence of the Distribution Sampler 

In this section, we address another limitation of the original model of [DPR + 13], which our model inherits: 
the subtle issue of seed independence. In particular, the model of [DPR+13] does not allow the distribution 
sampler V to have access to the initial seed seed of the RNG with input. 

11 To compare with our previous numbers from Section 5, recall that we had f3 = 4. Therefore, we note that the above scheduler 
achieves such security in four times the amount of time that it takes to receive about 750 bytes to 1.2 kilobytes of entropy. 
These are the proper numbers to compare, though they make less sense in the constant-rate case. 
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As explained by [DPR + 13], this is necessary to some extent, as there is a very simple impossibility 
result when T> knows the seed. Given any RNG with input Q whose input length is p > 2, consider 
V that simply samples ,I qT> uniformly such that next(seed, S qT) ) starts with a 0 where So = 0, and 

Sj = refresh (seed, Sj-i,Ij). Let A be the adversary that simply calls set-state(O), makes qx> calls to D-refresh, 
calls next-ror, and simply outputs the first bit of the resulting output. It is clear that this pair of A and T> 
will break the RNG security, and also that H 00 (/ ? |/i, . . . , Ij-i, Ij+i, ■ ■ ■ I qT> ) ~ p — 1- 

In fact, the original provably secure scheme from [DPR + 13] can be attacked much more dramatically 
(than the above generic attack) by a seed-dependent V. Recall, in that scheme part of the seed X, input /, 
and state S are simply elements in a finite field F2«. Also, if the start start state S is 0 and the distribution 
sampler D samples some random variables l\ , . . . , I qT) , then after qz> refresh calls the resulting state will be 
S = X qT, ^ x l\ + X qT, ~ 2 l2 + . . . + I qT) . This suggests a natural attack: simply let Ij be sampled uniformly 
from {0,X ? ' - * D }. Clearly the distribution sampler provides qjy bits of entropy in this case, but a quick 
check shows that the state S is the sum of uniformly random bits, so it can be only 0 or 1. The distribution 
sampler can therefore provide arbitrarily large amounts of entropy while only letting the state accumulate 
one bit. 

Unfortunately, our generalized Fortuna scheme that is premature-next robust suffers a similar fate, even 
without attacking any of the "pool" RNGs. Indeed, if the distribution sampler V has access to the seed, then 
in particular, it has access to the key skey of the scheduler. T> can therefore choose to only provide entropy 
to pools that will soon be emptied. For example, against our scheduler in Section 5.2, V can provide 1 bit of 
entropy whenever pool 0 will be filled next, and no entropy otherwise. If the adversary A then calls get-next 
repeatedly after every P-refresh call, the RNG will never accumulate any entropy (with high probability). 

To sum up, existing schemes crucially rely on the seed-independence of the distribution sampler, and it 
is also clear that full seed-dependence is impossible. Finding the right (realistic and, yet, provably secure) 
balance between these extremes is an important subject for further research. In the next subsection, we 
make some initial progress along these lines by introducing a somewhat realistic model that effectively 
allows a certain level of seed dependence. 



7.1 Semi- Adaptive set-refresh 



Our extended adversarial model is motivated by the following realistic scenario given by Ferguson and 
Schneier when describing Fortuna [FS03]. They assume that there are several sources of entropy N\, N2, ■ ■ ■ 
contributing the inputs Ij for the P-refresh procedure. Some of these sources might be completely controlled 
by the attacker A, while others are assumed to provide "good" entropy. Of course, since the actual RNG 
does not know the identity of these adversarial sources, they suggest that the RNG should take the inputs 
from N±, N2, ... in a round-robin manner, ensuring that "good" sources periodically contribute fresh entropy 
to the system. 

Semi- Adaptive set-refresh Model. Translating this natural attack scenario to our model (for both ROB 
and NROB), we can think of the union of "good" sources iVj as our original (seed-independent) distribution 
sampler T>, while the union of "bad" source iVj can be modeled by giving the (seed-dependent) attacker A 
access to the simple set-refresh oracle shown in Figure 9. 

Note, in particular, that since set-refresh is called by A, the entropy counter 
c is not incremented during this call. Additionally, since in the above moti- 



proc. set- refresh (J*) vating example the RNG will call the good/bad entropy sources in a round- 
s' «- refresh (S, I ) robin manner, it seems reasonable to make the assumption that the order of 

m , , , set- refresh calls is seed-independent (though, crucially, the values I* in various 

Fig. 9: The set-refresh oracle . , r , ; , A J ' , . A 

set- refresh (I J calls can depend on the seed). Overall, we can think of A and 

V as defining a partially seed-dependent distribution sampler V . 



12 Note that, while this assumption is quite strong, we do not impose a fixed order on the set-refresh calls or assume constant 
entropy from ©-refresh calls as [FS03] do. Indeed, the original Fortuna construction is clearly not secure in our extended 
model even with a constant entropy assumption. 
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We arrive at the following natural extension of robustness, which we call the semi- adaptive set-refresh 
model, where qr> is now the maximal sum of the number D-refresh and the set-refresh calls made by A: 

— V selects a subset of indices JC {1, . . . , g-p} where set-refresh calls will be made. 

- A learns seed and J, and can play the usual ROB/NROB game, except the sequence of its P-refresh and 
set-refresh calls must be consistent with J. I.e., the j-th such call must be set-refresh iff j £ J. 

Security Against Semi-adaptive set-refresh. We observe that the robustness proofs of both the original 
RNG construction of [DPR+13] and our generalized Fortuna construction easily extend to handle semi- 
adaptive set-refresh calls. Indeed, we even achieve identical parameters. 

Interestingly, we are not aware of an attack on [DPR + 13]'s construction even with seed-dependent (i.e., 
fully- adaptive) set- refresh calls, but our current proof crucially uses semi-adaptivity. Unfortunately, our 
attack on generalized Fortuna with a seed-dependent distribution sampler easily extends to an attack using 
seed-dependent (i.e., fully-adaptive) set-refresh calls instead. Indeed, using skey, A can schedule set-refresh 
calls such that P-refresh calls only affect pools that will soon be emptied. 

Theorem 6. The security bound for the RNG of [DPR + 13} given in Theorem 3 extends to the semi- 
adaptive set-refresh model. Similarly, the premature next robustness of the generalized Fortuna scheme given 
in Theorem 2 extends to the semi-adaptive set-refresh model, provided all the pool RNGs Qi are robust in 
the semi-adaptive set-refresh model. 

Since both proofs are simple variants of the original proofs, we will only sketch the key steps required 
to extend both proofs below. 

Extending the Composition Theorem. We first show how to extend the proof of our main composition 
theorem (Theorem 2) to handle semi-adaptive set-refresh. To do so, we need to show how to extend the 
main reduction, mapping the "big" attackers A, V against the composed RNG Q into "small" attackers Ai,T>i 
against the pool RNG Qi, to the semi-adaptive set-refresh setting. Fortunately, this is simple because the 
scheduler key skey in our reduction is selected directly by T>i (See Figure 6) and then immediately passed 
to Ai via leakage. In particular, T>; L can now also compute the index set J , then use skey to "project" this 
set J to whatever calls j £ J will be "routed" to Q, L by the scheduler, and finally pass this "projected set" 
Ji to the challenger. Ai then learns the seed and Jj and can simulate the run of A as before (see Figure 7), 
handling set-refresh calls in the obvious way. 

Extending [DPR + 13]'s Proof. Next, we sketch the changes needed to extend the original proof of 
robustness of the [DPR + 13] construction (see Section 5.1) to handle semi-adaptive set-refresh calls. The proof 
of [DPR + 13] consists of three steps: (1) reducing robustness to two simpler properties called preserving and 
recovering security (See [DPR + 13]'s Theorem 1); (2) showing preserving security; and (3) showing recovering 
security. Step (1) easily extends to semi-adaptive set-refresh calls, provided the notion of recovering security 
is naturally augmented to include semi-adaptive set-refresh calls. Step (2) needs no changing at all (as 
preserving security already gives A access to a fully adaptive set-refresh oracle). Hence, it suffices to show 
how to extend the proof of recovering security in step (3) to a slightly modified version that includes 
set-refresh calls. We present the modified recovery security game together with the preserving security game 
and a modified version of [DPR + 13]'s composition theorem in Appendix C. 

Intuitively, recovering security considers an attacker that sets the state to some arbitrary value Sq and 
starts the distribution sampler V after k calls to D-refresh. Following that, d calls to D-refresh are made, 
resulting in final state S, where d, k are chosen by A such that the corrupt flag is false after the d calls to 
"D-refresh. Then, the attacker A attempts to distinguish the full output (S* , R) <— next(S') from uniform. In 
our modified version, an index set J is chosen by V at the beginning, and the j-th D-refresh call is replaced 
by a set- refresh call if and only if j G J. 

Note that in the recovering game, [DPR + 13]'s RNG with input effectively computes a function of the 
form 

d-i 

r * — -v -i m 

h* XjX ,(I 1 ,...,I d )=[X>.Y,Id- j -Xi] i +[X'.So]? 

j=0 
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and applies a PRG G to the result. [DPR + 13] show that recovering security follows immediately from 
the fact that h* x x , is a good randomness extractor. In particular, if the sum of the conditional min- 
entropies of the input is sufficiently high (i.e., above 7*) and the Ij are chosen independently of X, X', then 
(X, X', h* x x ,(h, • • • j Id)) is e e xt-close to uniform (with e ext defined as in Theorem 3). 

Our key observation is simply that h* x x , is linear. Intuitively, we wish to define three sequences: 

if "^(seed) is the sequence of inputs to refresh calls, including both D-refresh and set-refresh; if is the 
contribution from P-refresh calls; and if (seed ) is the contribution from „4's set-refresh calls. We then want 
to say that h* x x , applied to I- ' is the sum of h* x x , applied to each adversary's contribution. 

In particular, fix A,T>. Let be the distributions sampled by T>; J the index set chosen by T>, 

seed = (X, X') a randomly chosen seed; k, d the (seed-dependent) choices of A; and (I*(seed))j e j the input 

of A to set-refresh calls. Then, formally, we let if = Lf ,A (seed) = Ij and if (seed) = 0 if j ^ j, and 
If (seed) = if ' A (seed) = I* (seed) and if = 0 if j e J. We can then write 

U ■■= h XtX , (iff^seed), . . . , ^(seed)) + [X' • S 0 ]? 

= h* x , x , • • • , If +d ) + h* XjX , (# +1 (seed), . . . , lf +d (seed)) + [X' • S 0 }? . 

Finally, we simply note that if are chosen independently from X, X' (equivalently, they are the output of 
some valid distribution sampler T>'), and therefore the proof of [DPR + 13] implies that (X, X', h* x x'(Ik+i-> ••• ■> 
is e ext close to uniform when the sum of the entropies of the corresponding distributions is sufficiently high. 
This of course immediately implies that X, X', U is also e ext close to uniform. The result, presented below, 
then follows immediately from the proof in [DPR + 13]. 

Theorem 7. Let n > m,£,j* be integers and e ext € (0, 1) such that 7* > m + 21og(l/e ext ) + 1 and n > 
m+21og(l/£ e xt)+log(q , x>)+l- Assume thatG : {0, l} m — > {0, l} n +^ is a deterministic (t,e prg ) -pseudorandom 
generator. Let Q = (setup, refresh, next) be defined as in Section 5. Then Q is a ((t' ,qv,QR,Qs),l* ,£)-robust 
RNG with input in the semi-adaptive set-refresh model where t' ps t, e = qR(2e prg + q^,e eyX + 2~™ +1 ). 

Combining Theorems 6 and 7, we see that the security of the instantiation that we presented in Section 5 
immediately extends to the semi-adaptive set-refresh model with identical parameters. 
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A Proof of Theorem 1 

We prove the two bounds in Theorem 1 as two separate propositions. Note that the first lower bound applies 
even when adversaries are restricted to just constant sequences. 

Proposition 1. For q > 3, let SC be a (t, q, w max , a, f3, e)-secure scheduler against constant-rate adversaries 
running in time tsc- Then, either t = 0{q ■ (tsc + h)gg)) ; e > l/(q — l/w mSiX + 1), or 

r > log e q - log e (l/u; max ) - log e log e q - 1 , 

where r = a • (3 is the competitive ratio. 

Proposition 2. Suppose that SC is a (t, q, w nmx , a, f3, e)-secure scheduler running in time tsc- Then, either 
t = 0(q(t S c + logg)), r 2 > w 2 nax q, £ > l/e, or 

"'max log e (l/e) - 1 

ol j> * 

w m&x + 1 log e log e (l/e) + 1 ' 

where r = a • (3. 

It should be clear that Theorem 1 follows immediately from the two propositions. 



A.l Proof of Proposition 1 

The main step in the proof of Proposition 1 is the following lemma: 

Lemma 1. For any q > 3 let £i be the constant sequence sampler that simply outputs the sequence 
. . . for i = l/w nmxi . . . q. Then, for any keyless scheduler SC with P pools, there exists an i and an 
adversary A such that £i and A win SGAME(P, q, w max , r) for any r > log e q — log e (l/ti; ma x) — log e log e q— 1. 

Furthermore, there exists a single adversary A' that, given any keyless scheduler SC, i, and r, can 
output the t that allows £i to win SGAME(P, q, w nmx , r) against SC (or outputs FAIL if none exists) in time 
0(q ■ (logg + tsc)), where tsc is the run-time of the scheduler. 
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Proof. We assume without loss of generality that l/w m ax is an integer. 

Fix any keyless scheduler SC and start state tq. Given the corresponding sequence (irij, outj)j =1 , we 
define the sequence of "leave times" 61, . . . b q € N U {00} as bj = min{T > j : out^ = in?} (where we adopt 
the convention that min0 = 00). Intuitively, at time T, we imagine the scheduler selecting a pool \r>T in 
which to "throw a ball", and a pool out-p to empty afterwards. The leave time bj is the time at which the 
ball that was "thrown" at time j will "leave the game". 

Let tt be the state of SC after T steps, and let At be the adversary that sets the state of SC to tt- Note 
that SC wins SGAME(P, q, w mSLX , r) against Si, At if and only if there is some set of i balls J C [T+l,T+i-r] 
with bj = bji < T + i ■ r for all j, j' G J. 

We proceed by "marking balls". We first consider |_ Wmax ' 9 j non-overlapping intervals of length r/ziJ max 
in {1, . . . , q}. By hypothesis, there must be at least l/w mSuX balls in each of these intervals that leave at the 
same time in the same interval. We mark all such balls, marking at least 2 — l/w max distinct balls in total. 
Now, consider [ w "^ x ' g j non-overlapping intervals of length 2r/u> max . In each such interval, there must be 
at least 2/w mSuX balls whose leave time is the same and in the interval. We mark these balls. Previously 
no more than l/w ma , x balls that we'd marked had the same leave time, so we must have marked at least 
l/t^max new balls in each interval. Therefore, we've now marked at least ^ + 2^ — 2/w max distinct balls, and 
no set of more than 2/w ma , x balls have the same leave time. 

Proceeding by induction, suppose that after j < [ "' max ' <? j steps, we have marked at least Yjk=i hr ~ 
j/wmax distinct balls, and no set of more than j/w max marked balls have the same leave time. We consider 
L^+fy^J non-overlapping intervals of length (j + 1) • r/w mSLX and note that in each such interval there must 
be (j + l)/u> max balls with the same leave time. So, we mark these and note that we must have marked an 
additional ^ — l/u> max new balls and that no set of more than (j + l)/w max marked balls have the same 
leave time. 

It follows that this procedure will mark at least ^1=™ Fr ~~ ll r t )ans - Recalling that the nth 
harmonic number satisfies H n = J2k=i > l°g e ( n + 1)) ^ follows that we've marked at least 2 . (log e q — 
log e r — log e (l/iu max ) — 1) distinct balls in this way. But, there are only q balls total. It follows that 
r > log e q - log e (l/w max ) - log e log e q-1. 

It remains to construct an A' that finds the winning r in 0{q ■ (tsc + log*?)) time given SC, i, and r. 
A' first computes {Tj) q ~^ in time 0(q • tsc)- Now, as above, A' divides {1, . . . , q} into disjoint intervals of 
length L^;J • For each such interval [T+ 1, T + i -r], A' simply simulates SGAME(P, i-r,r) against Si starting 
at tt- 13 A returns tt if it wins the simulation. If no tt wins, A 1 outputs FAIL. This takes time 0(qlogq). 
(The logg overhead is incurred because A needs to write numbers that could be as large as q.) 

The result follows. □ 

From this, Proposition 1 follows easily. 
Proof of Proposition 1. Fix SC. 

$ 

Let S be the sequence sampler that selects i {1 / w max , . . . , q} and then behaves as the constant 
sequence sampler Si from Lemma 1. Let A be the adversary that behaves as follows: On input skey, A 
produces the keyless scheduler 5C s k ey such that SC s \ <e y(a) = SC(skey,a). A then simulates A' from the 
lemma, which outputs either some state r or FAIL. If A' outputs r, A simply does the same. Otherwise, A 
outputs an arbitrary state. 

By Lemma 1, A runs in time 0(q- (log q+tsc)), anci i£r < log e q — log e (l/u> max ) — log e log e q— 1, then with 
probability at least l/(g— l/iw max + l), this procedure produces an Si, t pair that wins SGAME(P, q, w ma _ x , r) 
against 5C s k ey - The result follows. □ 

A. 2 Proof of Proposition 2 

Proof of Proposition 2. Suppose r 2 < w^ x q. For simplicity, we will assume l/w mSLX is an integer. 
13 Technically, we replace £ < with E[, which outputs a sequence of length i ■ r. 
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Our proof begins similarly to that of Lemma 1. In particular, we let tq be any start state. Let B\, . 



, B„ 



be random variables over the choice of skey corresponding to leave times, Bj = min{T > j : outy = irij}. 
We again think of a ball with weight Wj thrown into pool irij at time j and leaving the game at time Bj. 

Intuitively, our approach will be to first show a pair of adversaries that win if balls take too long to 
leave. We'll then show a pair of adversaries that win if balls leave too quickly. 

In particular, let £ simply output a sequence of a/w max maximum weights followed by Os, (iu max , . . . , w max , 0, . . . 0). 
For any skey and any 1 < T < q, let ry(skey) be the state that SC with skey reaches after T steps, 
starting at tq. Let Ak be the adversary that simply outputs Tk r / Winax (skey) on input skey. Note in or- 
der for SC to win SGAME against £,Ak, it is necessary but not sufficient for there to be some j with 
kr/w max < j < kr/w max + a/to max and Bj < (k + l)r/w max . (Intuitively, there must be some ball that 
enters in the first a/w max steps of the game against Ak and leaves before time r/w max .) 

Now, let A* k be an adversary that for 0 < kl < k selects jk' uniformly at random with k'r/w max < jy < 
k'r/w max + a/w max . If Bj y > (k' + 1) • r/w max , then A* k simply behaves as Ak'- Otherwise, A* k behaves as 
Ak- Let Ek be the event that Bj , < (kf + 1) • r/w max for all k' < k. Note that A* k wins if Ek happens and 
Bj > (k + 1) -r/w 

max f° r a ll j with kr /w max < j • < kr / w max + ot/w max . (To be clear, may win in other 
circumstances as well.) Therefore, 



i -| kr kr + a „ . , . r 
£ > Pr[^fe] • Pr Vj with < j < , Bj > (k + 1) 

Wmax ^max '"mix 



Ek 



Rearranging, we have 



Pv[E k ] - e< Pv[E k ] ■ Pr \^3j with 



kr kr + a „ 

<j< — , Bj <(fc + l) 



^max W 

(fc-r+a)/«i max 

< Pr[E k ] ■ Pr \ B i ^i k + V - 

. . , <- "'max 

j=fc-r/«i max 

— • Pr^] • Pr \B jk <{k + r ' 



Ei 



a 



Ei 



■ Pr[E k+1 ] , 



Ek 



where Bj k is chosen uniformly at random with kr/w max < jk ^ kr/w max + a/w max . So, we have the 
recurrence relation Pr[^] > (w max /a) ■ (Pr[Ek-i] — e), with Pr[^o] = 1- It follows that 



max \ " / u^max \ " "'max 

> - £ 



a 



a 



a ~ w nmx 



Now, let £* be the sequence sampler that randomly selects jk with kr/w mSLX < jk < kr/w max + a/w max 
for all k < (u>max + 1) • o/w max . £* then outputs the sequence [wi) where Wi = w max / '{w max + 1) if i = jk 
for some k and Wi = 0 otherwise. Suppose the event Ek* occurs where k* = (w max + 1) • (a — l)/w max + 1. 
Then, for all k < k*, the jfc-th ball leaves before the j^+i-st ball enters. In particular, £*,Ao win SGAME. 
Therefore, 



£ > Pr[E k *\ > 



ol 



Wry 



a - w max 



It follows that 



a > 



log e (l/e) 



1 



+ 1 log e log e (l/e) + l 



provided that e < 1/e. 

It is easy to see that A* k and £* run in time 0{q(tsc + log*?)), and the result follows. 



□ 
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B Construction of Constant-Rate Scheduler and Proof of Theorem 5 

We first notice that Fortuna's scheduler can be easily modified to use a different base. In particular, for 
any integer b > 2, we define a keyless scheduler, SCb- Roughly, SCb has P b pa log b q pools, numbered 
0, . . . , Pb — 1. The state r £ {0, . . . , q — 1} will just be a counter. The pools are filled in turn, and pool i is 
emptied whenever the counter r divides b l • Pb but not b l+1 • Pb- 

Our actual construction will be slightly more involved than the above, but it is simply an optimized 
version of this basic idea. In particular, we make four changes: 

1. We account for w max by emptying pools when r divides b l ■ Pb/w max , instead of just b % ■ Pb. 

2. We use slightly fewer than \og b q pools, setting Pb = \og b q — log 6 log 6 g — log 6 (l/u> max ). 

3. We do not empty the 0th pool twice in a row. (While this never comes up when b = 2, it is an issue for 
b > 3.) 

4. If pool j will next be emptied sooner than pool i and j > i, we fill pool j instead of pool i. (This 
captures the idea of emptying multiple pools at once from Section 6.) 

For simplicity, we assume that log b log fe g and log 6 (l/io max ) are both integers, and we let Pb = \og h q — 
log 6 log fe <7 — log 6 (l/u> max ). Then, we define SCb as i n Figure 10. 



proc. SCb(r) : 

IF t/0 mod Pt/wmax, THEN out «- _L 
ELSE 

j 4- max{j : r = 0 mod V ■ P,/w max } 

IF j = 0 AND t — Pb/tii max / 0 mod b ■ Pi,/w max 

out <— _L // Don't empty pool 0 twice in a row 
ELSE out <- j 
i 4— t — 1 mod Pb 

/ / Find the next time r* that a pool with index at least i will be emptied 

r* <— min{r* > r : r* = 0 mod b % ■ Pi,/w m ax} 

// Fill the pool emptied at time r* 

in 4— max{in : r* = 0 mod b' n ■ p,/w max } 

t' 4 — T -(- 1 mod q 

OUTPUT (r, in, out) 



Fig. 10: Our keyless scheduler construction 

Theorem 5 shows that this scheme achieves a very good competitive ratio of r b ~ bP b . In Appendix A, 
we show a lower bound in the constant-rate case of r > log e q — log e log e q — log e (l / w max ) — 1 (or r > P e — 1 
in slightly abused notation), so this result is very close to optimal. 

Proof of Theorem 5. Note that £ must output a constant sequence, (w, . . . ,w) with rb/q < w < w max . (If 
w < rb/q, then we win by default.) We assume without loss of generality that 1/w is an integer. 

We first handle the case when w > w max /b. Note that no pool is emptied more than once every — — ■ Pb 
steps and at least one pool is emptied every • Pb steps. So, if w > w max /b, SC b wins as soon as the 

first pool is emptied after ^ • Pb steps, in time at most + ) • P b . It therefore achieves a competitive 
ratio of less than (1 + (b - 1) • -^-) • P b < bP b . 

"'max 

Now, assume w < w max /b. 

Let i > 1 such that > w max /w > ^Ej- Consider the first time a pool whose index is at least i 

is emptied. If it is full on this first emptying, then SCb wins, in time at most b % ■ Pb/w max . Otherwise, let 
T* be the first time such a pool is emptied. Then, SCb wins the next time a pool whose index is greater 
than i is emptied, at time T* +b l ■ Pb/w max . In both cases, SC b achieves a competitive ratio of at worst 
r b = w-{T* + V-P b /w max ). 
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We wish to bound T*. Let j such that V +1 > w nmx ■ T*/P b > 6? . Then, at time T* the pool that is 
emptied has weight at least 



^■[T*/P b \ + -^.Y J b k >w-( 1 - + 



k=0 





+ 


i 


b> +1 - 


M 


Pb 


f max 


6-1 






+ 


1 


'"max 


T* -i 
Pb 




^max 


6- 


- 1 



w ■ T* b 1 + (6 - 1) • w» 

w 



Pb 6-1 (&-!)■ »max 

Note that the above weight is less than one by hypothesis. Applying this and rearranging, 

w . T * < w + (l + w)(b- 1) -w max _ 

6 • Wmax 

Plugging in and recalling that w < w max /b and w max /w > jEf, 

r b < " + (1 Y )(b " 1) "" max -n + — -((6-i)-^ + i)-n 

6 • Wmax !»Tnax V W J 



□ 



s(fi± -^ ast a + x ) . J4+( ,_ 1+ x,. J4 

(, . f max . 1 ^max \ n 

The result follows. 

C Recovering and Preserving Secutity 
C.l Recovering Security 

We consider the following security game with an attacker A, a sampler T>, and bounds <£d,7*. 

— T> sends J C {1, . . . , qj)} to the challenger. 

$ $ 

— The challenge chooses a seed seed <— setup, and a bit 6 <— {0, 1} uniformly at random. It sets o"o := 0. 
For k = 1, . . . , qx>, the challenger computes 

(cr fe , 4, 7fc, ,z fc ) <- X»((7fe_i). 

— The attacker A gets seed, J, and 71, ... , 7 gi) , 21, • • • z qT) - It gets access to an oracle get-refresh () which 
initially sets k := 0 on each invocation increments k := k + 1 and outputs 7^. At some point the attacker 
A outputs a value Sq G {0, l} n , an integer d, and I* for j € J such that k + d < qv and 

E ^>7*- 

fc<j'<fc+d 

— For j = k + 1, . . . , k + d, the challenger computes 

J refresh(5 j _i,/ i ) : j <£ J 
° 3 \ refresh /*) : j 6 J ' 

If 6 = 0 it sets <- next(5 d ) and if 6 = 1 is sets (S^i?) {0, l} n+ ^ uniformly at random. The 

challenger gives Ik+d+i, ■ ■ ■ , Iqx>> an d (S* , R) to .A. 

— The attacker A outputs a bit 6*. 

Definition 6 (Recovering Security). We say that PRNG with input has (t, qj), 7*, e) -recovering security 
if for any attacker A and legitimate sampler V, both running in time t, the advantage of the above game 
with parameters qv-,1* is at most e. 
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C.2 Preserving Security 

We define preserving security exactly as in [DPR+13]. Intuitively, it says that if the state So starts uniformly 
random and uncompromised and is then refreshed with arbitrary (adversarial) samples I±, . . . , Id resulting 
in some final state Sd, then the output (S*,R) <— next(Sd) looks indistinguishable from uniform. 

- The challenger chooses an initial state Sq <r- {0,1}™, a seed seed ^— setup, and a bit b <— {0, 1} uniformly 
at random. 

- The attacker A gets seed and specifies an arbitrarily long sequence of values I\, . . . , Id with Ij £ {0, l} n 
for all j G [d]. 

- The challenger sequentially computes 

Sj = refresh Ij, seed) 

for j = 1, . . . , d. If b = 0 the attacker is given (S* , R) = next(Sd) and if b = 1 the attacker is given 
(S*,R) <- {0,l} n+e . 

- The attacker outputs a bit b*. 

Definition 7 (Preserving Security). A PRNG with input has (t, e) -preserving security if for any at- 
tacker A running in time t, the advantage of A in the above game is at most e. 

C.3 Modified Composition Theorem 

With these modified definitions, [DPR + 13]'s proof of their composition theorem immediately extends to 
handle semi-adaptive set-refresh queries. 

Theorem 8. Assume that a PRNG with input has both (t, e p ) -preserving security and (t, qx>, 7* ,e r ) -recovering 
security as defined above. Then, it is ((i' , q%>, qn, qs),7* ,qn(£r + e p )) -robust in the semi-adaptive set-refresh 
model where t' « t. 
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